A Security Primer for Mac OS X

The recent security issues that have affected Windows users have led
the media--and sometimes even Mac-specialized publications--to talk
about the shortcomings of the Windows security scheme and to provide surprisingly
detailed advice.

So far, Mac users indeed have been luckier. Mac OS X is relatively secure out
of the box, and Apple has been good about providing easily installable
security updates as needed.

Unfortunately, some Mac users forget that security is more than just
applying the occasional patch. It is a continuously evolving quest that
requires additional steps to make their systems more secure. Luckily,
the Unix foundation of Mac OS X, Darwin,
has provided us with powerful tools that we can leverage to help our
computers remain secure in an otherwise dangerous world.

In this article, I'll take a hands-on approach to what I call "security
through common sense," the basic security steps that every single
Mac user should take.

Disclaimers

Security is a touchy topic and nobody owns a definitive security
answer. This article presents the steps that I would personally recommend,
but my views may differ from those of your network administrator, company,
or school--either because you need a greater level of security, or because
the organization relies on other, internally tested, solutions. In any
case, please consult your IT department before implementing these steps.

If you handle very sensitive data, I would advise you to seek professional
advice. Using a Mac is an excellent way to protect data--since they
are extremely secure--but you may need to implement industrial-strength
firewalling and intrusion-detection software. This is obviously out
of the scope of this article.

I have tested the third-party software I link to on my own machines.
However, please understand that I have no "insider knowledge" about
these applications and that I cannot endorse them.

Why Should I Protect My Mac?

Many Mac and computer users in general do not take additional security
steps to protect their data because they have the feeling that they
have "nothing to hide" or that they do not store any valuable information
on their computers.

Unfortunately, this comforting theory overlooks the fact that most
of the time, hackers don't try to attack your computer or your network
because you are who you are. Indeed, most of the time, attacked computers
are chosen semi-randomly: because they have detected that you have an
unusual amount of traffic; because you run an unprotected Windows 95
computer somewhere on your network that makes it easy to crack; and so on.

Some people will try to break into your computer "for fun." However,
nowadays, many exploits have a unique goal--turn the computer into
some kind of zombie that the attacker will be able to steal confidential
information from (can you swear that your credit card number isn't stored
somewhere on your computer?), or perform illegal actions in your
own name. Therefore, in most cases, hacking a computer is worth the time and effort spent, even if the person who tries to break in has no
idea who you are.

Even worse, in some countries, not having any protection in place can
be seen by the law as an implicit approbation of what other people could
do on your computer without your knowledge--the good old "this person
wasn't protected, this shows that he didn't mind what could happen."
Would something go wrong, being able to prove that your computer was
indeed protected may be a good way to show your true intentions.

The Basics

Now that we have discussed a bit about why security is important, I'm going
to walk you through the basic steps of securing your Mac. This first
part will give you an overview of things you might know already, but
maybe include a new wrinkle or two.

Know Your Computer

Most security issues nowadays rely on simple social engineering techniques--convince a user to download an application or run a special command
that opens a breach in the security systems that have been set up. That's
how most Windows viruses propagate, and we've all seen how effective
this approach is.

By knowing Mac OS X better, you will be able to avoid common mistakes--like turning on Windows file sharing and FTP services "just in case."
This may sound silly but this is the most essential step towards good
security and will allow you to react in an efficient manner to incidents
and potential issues.

Of course, we assume that you already know that you are not supposed
to open unknown emails attachments, run strange applications, and so
on. You should exercise the same caution on your computer that you would
in the real world when dealing with strangers, let's say on a dark street
at around 3:00 a.m.

Stay Up to Date with Security News

As a concerned citizen of your country, you are already trying to keep
up with the current events, on a local, national and international scale.
That's great! But do you do the same when it comes to computer-related
news?

Indeed, the best way to defeat social engineering and to avoid issues
is to be aware of what's going on in the security world.

Luckily, this can be done in very simple ways. This
page provides you with simple tips to learn more about security
issues as soon as they are discovered. I would highly recommend that
you subscribe to Apple's security-announce mailing list as well.

Also, you may want to keep an eye on the recent virus outbreaks and
security issues. Indeed, even reading about Windows- and Linux-only viruses
and trojan horses will give you a good idea of what's happening on the
network and how social engineering works. A good place to start is this
page.

Would a Mac virus be discovered, you will then notice it immediately
and be able to take the appropriate steps.

Ensure Local Security

In this article, we're going to focus on network-born threats. However,
there can be no network security if anyone can sit in front of your
screen, alter your settings, and then use the new setup to attack you
remotely.

You should also turn automatic login off, and make sure that authentication
is required to alter the settings of most preferences panes--this
can be all done through the "Security" preferences pane. Also, get into
the habit of using the "Lock screen" feature--available through the
Keychain menu--whenever you step away from your keyboard, even for
a few minutes.

Finally, you may want to have a look at FileVault
and decide whether or not you want to run it.

Keep Your System Up to Date

The Mac OS X development team does its absolute best to provide you
with a secure operating system and may release, from time to time, security
updates--even when there's no known exploit.

I would recommend that you apply these updates as soon as they are released,
to make sure that you do not give time to attackers to exploit a known
vulnerability. Indeed, it is now quite easy to find software on the
Internet that will automatically try to break into computers and report
all the vulnerabilities found in a specific machine, along with tips
about how to use them. In many countries, such software is perfectly legal
and some authors update their applications daily!

The most convenient way to update your applications is, of course, to
use the "Software Update" preferences pane, available through the "System
Preferences" application. It will take care of finding the updates you
need, then download and install them, making securing your computer
very easy. Unlike some update mechanisms featured by other operating
systems, "Software Update" checks that the files that it downloads indeed
come from the Apple servers--and not from any server that claims to
be Apple.

For maximum security, you may want to download updates manually from
the recently redesigned Support
downloads page. The main advantage is that you will be given the
option to manually test the authenticity of the file you download--an added security--by using the "md5" utility. The main drawback is
that updates are usually posted on the downloads site with a slight
delay--24 hours in most cases.

md5 is a Unix command-line utility that allows you to read the "checksum"
of a file. Like fingerprints, checksums are unique identifiers that
correspond to a specific file and it is highly unlikely--some say
virtually impossible--to find two different files with the same checksum.
Would the checksum provided by md5 on your Mac and the one provided
by Apple on the downloads site match, you can be virtually sure that
you have downloaded the right file and that it has not been altered
during the download.

To check a file's md5 checksum, simply open a Terminal window and type
the following command: "md5 /path/to/the/file". Then, press return
and compare the string returned with the one displayed on the download
page.

md5 checksums now have known flaws that could potentially allow someone
to forge an altered file with the same checksum. This is, however, very
unlikely and md5 is still widely seen as a safe way to check the integrity
of files--provided, of course, that the web site that is used as a
reference hasn't been hacked too!

As important as it is to keep your operating system up to date, you should
also not forget to update your applications.

Applications

Many applications are updated frequently for security reasons, including third-party web browsers, email readers, and Microsoft Office. As long as you are running them, it is extremely important to update them too, since they could
potentially allow an attacker to run malicious code on your computer--consider macro viruses, for example.

Many software authors now provide you with software update-like features
but, unfortunately, very few have actually implemented security checks
in them. Therefore, I would recommend that you use these features to
check if an update is available on a regular basis but go to the actual
application site to download it. If the authors do not provide an md5
checksum, you may want to ask them to get into the habit
of posting one.

Software Update will usually notify you about updates to the
Apple applications you have installed on your computer, even if
they are not bundled with the standard Panther installation.